Posts on Cloud,DevOps, Citrix,VMware and others. Also tracking my Continuous learning from Wintel to open source and development.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.

Wednesday, August 29, 2018

Foreshadow vulnerability on XenServer and XCP-ng

This is a recap on the latest Foreshadow vulnerability and how it affects XenServer and XCP-ng.

Foreshadow, XSA-273

Yet another Intel x86 security issue… Basically, someone could steal data in RAM, outside the VM boundaries (ie: from other VMs on the same host). If you have non-trusted users in your VMs, it's time to patch ASAP. And maybe disable hyper-threading.

XAPI security issue, XSA-271

An unauthenticated user with access to the management network can read arbitrary files from the dom0 filesystem. This includes the pool secret /etc/xensource/ptoken which grants the attacker full administrator access.

This is… big. Update ASAP (see below on how) or close your XAPI from outside, now! If you have hosts all around the world, another possibility is to let your XAPI only reachable from a secured tunnel, without external access.